Wazuh not showing Integrity monitoring event /var/www directory


Alpi Parta

May 16, 2024, 4:06:28 AM
to Wazuh | Mailing List
Hello team,
I installed Wazuh for the first time with the aim of monitoring changes (add, delete, edit) to files in the /var/www directory, but the Wazuh that I installed cannot monitor file changes in the directory I want.
I can monitor other directories, for example /home and /var/lib.
Please give me advice, thanks

Md. Nazmur Sakib

May 16, 2024, 9:07:18 AM
to Wazuh | Mailing List

Hi Alpi Parta, You can define the directory like this.


<directories check_all="yes" realtime="yes">/var/www</directories>


You can check this document for configuration:
https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/basic-settings.html


If this does not work, please share the syscheck block configuration from your agent’s ossec.conf



Also, share the output of this command from your agent’s endpoint, after restarting the agent.


cat /var/ossec/logs/ossec.log | grep "Monitoring path"




Looking forward to an update on the issue.

Alpi Parta

May 17, 2024, 4:40:37 AM
to Wazuh | Mailing List
I have tried it, but the /var/www directory does not appear in the Wazuh Integrity monitoring events. Here is the configuration:
 <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check  (perform all possible verifications) -->
    <!-- <directories>/etc,/usr/bin,/usr/sbin</directories> -->
    <!-- <directories>/bin,/sbin,/boot</directories> -->

    <directories check_all="yes" realtime="yes">/var/www</directories>



    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>


    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>50</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>


 cat /var/ossec/logs/ossec.log | grep "Monitoring path"
2024/05/17 10:39:31 wazuh-syscheckd: INFO: (6003): Monitoring path: '/var/www', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | whodata'.
2024/05/17 10:44:40 wazuh-syscheckd: INFO: (6003): Monitoring path: '/var/www', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | realtime'.
2024/05/17 10:45:50 wazuh-syscheckd: INFO: (6003): Monitoring path: '/var/www', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | realtime'.

Md. Nazmur Sakib

May 20, 2024, 2:55:21 AM
to Wazuh | Mailing List

Based on the log you have shared, FIM is working for the directory path

/var/www


I can see you have added

<ignore type="sregex">.log$|.swp$</ignore>


Which means files with extensions .log and .swp will be ignored.


Create a file with a different extension on /var/www folder and check if that triggers any alert or not.


vi /var/www/test.txt


If this doesn't trigger any alert, share the output of this command from your agent and Wazuh manager server.


cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"


Looking forward to your update on the issue.
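The two checks suggested in this thread (confirm the "Monitoring path" log line for /var/www, then rule out an <ignore> pattern such as `.log$|.swp$` swallowing the test file) can be scripted as a small triage helper. The script below is an added example, not part of the thread or of Wazuh itself: it parses a trimmed copy of the <syscheck> block posted above plus constructed `wazuh-syscheckd` log lines, and reports for a given file path whether the file is inside a configured directory, whether an ignore rule suppresses it, and whether the daemon actually registered the path in realtime mode. Wazuh's `sregex` dialect is approximated here with Python `re`, and literal <ignore> entries are treated as path prefixes; both are assumptions, not Wazuh's exact matching rules.

```python
"""Triage helper for a Wazuh FIM (syscheck) configuration (added example).

Answers three questions for a file path:
  1. Is it under a <directories> entry in the syscheck block?
  2. Would an <ignore> rule suppress alerts for it?
  3. Did wazuh-syscheckd log a (6003) "Monitoring path" line for that
     directory, and with the realtime/whodata option?
"""
import re
import xml.etree.ElementTree as ET

# Trimmed from the configuration posted in the thread, with the commented-out
# /etc,/usr/bin entry enabled so a scheduled-only directory is present too.
SYSCHECK_XML = """<syscheck>
  <disabled>no</disabled>
  <directories check_all="yes" realtime="yes">/var/www</directories>
  <directories>/etc,/usr/bin</directories>
  <directories check_all="yes">/srv/data</directories>
  <ignore>/etc/mtab</ignore>
  <ignore type="sregex">.log$|.swp$</ignore>
</syscheck>"""

# Constructed log sample: /var/www registered with realtime, /etc without,
# /srv/data deliberately absent (e.g. agent not restarted after the change).
OSSEC_LOG = """2024/05/17 10:44:40 wazuh-syscheckd: INFO: (6003): Monitoring path: '/var/www', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | realtime'.
2024/05/17 10:44:41 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256'.
"""

MONITOR_RE = re.compile(
    r"\(6003\): Monitoring path: '(?P<path>[^']+)', with options '(?P<opts>[^']+)'"
)


def parse_syscheck(xml_text):
    """Return ([(directory, attributes)], [(kind, rule)]) from a <syscheck> block."""
    root = ET.fromstring(xml_text)
    dirs = []
    for node in root.findall("directories"):
        for path in node.text.split(","):          # one entry may list several paths
            dirs.append((path.strip(), dict(node.attrib)))
    ignores = []
    for node in root.findall("ignore"):
        if node.get("type") == "sregex":
            # Assumption: Python re is close enough to Wazuh sregex for '.', '|' and '$'.
            ignores.append(("sregex", re.compile(node.text.strip())))
        else:
            ignores.append(("literal", node.text.strip()))
    return dirs, ignores


def parse_monitoring_log(log_text):
    """Map each path from a (6003) 'Monitoring path' line to its option list."""
    monitored = {}
    for line in log_text.splitlines():
        m = MONITOR_RE.search(line)
        if m:
            monitored[m.group("path")] = [o.strip() for o in m.group("opts").split("|")]
    return monitored


def _under(path, directory):
    return path == directory or path.startswith(directory.rstrip("/") + "/")


def watching_directory(path, dirs):
    """Longest configured directory that contains path, or None."""
    hits = [(d, a) for d, a in dirs if _under(path, d)]
    return max(hits, key=lambda h: len(h[0])) if hits else None


def is_ignored(path, ignores):
    """Return the ignore rule that suppresses path, or None."""
    for kind, rule in ignores:
        if kind == "literal" and _under(path, rule):   # assumption: prefix match
            return rule
        if kind == "sregex" and rule.search(path):
            return rule.pattern
    return None


def triage(path, xml_text=SYSCHECK_XML, log_text=OSSEC_LOG):
    """Classify why a change to `path` would or would not produce an FIM alert."""
    dirs, ignores = parse_syscheck(xml_text)
    monitored = parse_monitoring_log(log_text)
    hit = watching_directory(path, dirs)
    if hit is None:
        return "not_configured"
    directory, attrs = hit
    ignored_by = is_ignored(path, ignores)
    if ignored_by:
        return f"ignored:{ignored_by}"
    opts = monitored.get(directory)
    if opts is None:
        return "configured_but_not_in_log"      # restart the agent, then re-check
    live = "realtime" in opts or "whodata" in opts
    if attrs.get("realtime") == "yes" and not live:
        return "scheduled_only"                 # realtime requested but not active
    return "realtime" if live else "scheduled"


if __name__ == "__main__":
    for p in ["/var/www/test.txt", "/var/www/html/debug.log",
              "/etc/mtab", "/srv/data/report.csv", "/home/alpi/notes"]:
        print(f"{p}: {triage(p)}")
```

Running the script prints one verdict per path: `/var/www/test.txt` comes back `realtime`, which matches the expectation in the reply above that a `.txt` file should raise an alert, while `/var/www/html/debug.log` is reported as ignored by `.log$|.swp$`. A `configured_but_not_in_log` verdict is the case where the directory is in ossec.conf but the running daemon never picked it up, which is exactly what the `grep "Monitoring path"` check is meant to reveal. For a `scheduled` verdict, note that with `<frequency>200</frequency>` an alert may lag a change by up to 200 seconds, so a file that shows no alert immediately may still be monitored.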
